The Tor Relay Security document suggests deleting keys upon reboot to prevent one-time key theft. I have tried to do this in Raspbian via cron but have been unsuccessful. The cronjob I have running is:
@reboot rm -f /var/lib/tor/keys/* && echo "keys gone!" > /home/[me]/reboot.txt 2>&1
I have the echo as a debugger. When I changed /var/lib/tor/keys/* to /home/[me]/test/* the job runs successfully. When changing it back to /var/lib/tor/keys/* it does not.
Is this something I should resolve? If so, is there something with my cronjob that's preventing it from working?
Permission issues and your shell pipeline... test it via your cli under whatever shell is in effect. If you want the keys gone on reboot, put them on a ramdrive. Read up on swap memory and cold boot attacks first. You might be able to remove them right after tor start.
On 04/22/2015 06:29 AM, CJ Barlow wrote:
@reboot rm -f /var/lib/tor/keys/* && echo "keys gone!" > /home/[me]/reboot.txt 2>&1
What about
rm -f /var/lib/tor/keys/* 2>&1 >> /home/[me]/reboot.txt
to see the error msg ?
If I run
rm -f /var/lib/tor/keys/* 2>&1 >> /home/[me]/reboot.txt
it doesn't error (as long as I run it with sudo) but it also doesn't do anything; checking *keys* shows it still contains files.
I read the RAM disk tutorial that is linked on the Tor Relay Security page; what I don't understand is how the keys are created and stored solely in RAM. When launching tor for the first time (say "sudo apt-get purge Tor" then "sudo apt-get install Tor") the *keys* folder does not exist. Would I just mount the whole /var/lib/tor folder in RAM instead or is there a better way to do it?
On Wed, Apr 22, 2015 at 6:06 AM, Toralf Förster toralf.foerster@gmx.de wrote:
On 04/22/2015 06:29 AM, CJ Barlow wrote:
@reboot rm -f /var/lib/tor/keys/* && echo "keys gone!" > /home/[me]/reboot.txt 2>&1
What about
rm -f /var/lib/tor/keys/* 2>&1 >> /home/[me]/reboot.txt
to see the error msg ?
--
Toralf
pgp key: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 0076 E94E
--
"; the past is all dirty and cruel in the modern popular imagination, with the exception of the Romans, who are just cruel" Ian Mortimer, 2008, "The Time Traveller's Guide to Medieval England"
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Wed, 22 Apr 2015 22:56:31 +0000, CJ Barlow wrote:
If I run
rm -f /var/lib/tor/keys/* 2>&1 >> /home/[me]/reboot.txt
it doesn't error (as long as I run it with sudo) but it also doesn't do anything,
You might do
(ls -lart /var/lib/tor/keys
echo /var/lib/tor/keys/*
rm -f /var/lib/tor/keys/*
ls -lart /var/lib/tor/keys
) 2>&1 >> /home/[me]/reboot.txt
to see if it does (and match) anything.
checking *keys* shows it still contains files.
Sure that those aren't already regenerated keys from a new tor instance?
Andreas
On Thu, Apr 23, 2015 at 12:56 AM, CJ Barlow iamthechong@gmail.com wrote:
rm -f /var/lib/tor/keys/* 2>&1 >> /home/[me]/reboot.txt
This dupes stderr to stdout first which is still your screen, -f squelches various errors, and rm doesn't emit any stdout unless some option like -v. So nothing is logged.
just mount the whole /var/lib/tor folder in RAM instead or is there a better
Can put all DataDirectory or HiddenServiceDir there. Can play with mountpoints, symlinks, rm, or backups if you want to preserve some things. Tor doesn't have a lot of knobs here.
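The redirection-order point from the last reply, plus a purge that logs what it did, as an added example that is not part of the original thread. The function names are hypothetical, and the demo runs on a constructed temporary directory standing in for /var/lib/tor/keys.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths are constructed.

# Order used in the thread: stderr is duplicated onto the *current* stdout
# first, then stdout alone is pointed at the log. Errors never reach the log.
log_wrong_order() {  # $1 = path to list, $2 = log file
    ls -l "$1" 2>&1 >> "$2"
}

# Corrected order: stdout goes to the log first, then stderr follows it.
log_right_order() {  # $1 = path to list, $2 = log file
    ls -l "$1" >> "$2" 2>&1
}

# Remove every regular file in a key directory and record the outcome.
# No -f, so errors are not squelched; -v, so each removal is logged.
purge_keys() {  # $1 = key directory, $2 = log file
    keydir=$1; log=$2
    {
        echo "purge of $keydir as uid $(id -u)"
        if [ ! -d "$keydir" ]; then
            echo "error: $keydir is not a directory"
            return 1
        fi
        # find does not depend on the shell glob matching anything
        find "$keydir" -mindepth 1 -maxdepth 1 -type f -exec rm -v {} +
        left=$(find "$keydir" -mindepth 1 -maxdepth 1 -type f | wc -l | tr -d ' ')
        echo "files left: $left"
        [ "$left" -eq 0 ]
    } >> "$log" 2>&1
}

# Demo on a constructed directory (stand-in for /var/lib/tor/keys).
demo=$(mktemp -d)
mkdir "$demo/keys"
touch "$demo/keys/secret_id_key" "$demo/keys/secret_onion_key"
purge_keys "$demo/keys" "$demo/purge.log"
cat "$demo/purge.log"
rm -rf "$demo"
```

If the log reports "files left: 0" and the directory is populated again afterwards, the files were regenerated by a newly started tor, which is the possibility Andreas raises above.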